cyrilgdn / terraform-provider-postgresql

Terraform PostgreSQL provider
https://www.terraform.io/docs/providers/postgresql/
Mozilla Public License 2.0

Injecting RDS cert bundle for `sslrootcert` argument of provider #78

Open dontspamterry opened 3 years ago

dontspamterry commented 3 years ago

Howdy!

Thanks for this provider! I'm using Aurora Postgresql 12.4 and would like to inject the RDS cert bundle (from https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem) that I have stored in Secrets Manager as plain text. I am using the Terraform data lookups for aws_secretsmanager_secret and aws_secretsmanager_secret_version to look up the secret and get its value, respectively. My secret lookup and provider config look like:

data "aws_secretsmanager_secret" "rds_cert_bundle" {
  name = "/rds/cert/bundle"
}

data "aws_secretsmanager_secret_version" "rds_cert_bundle_version" {
  secret_id = data.aws_secretsmanager_secret.rds_cert_bundle.id
}

provider "postgresql" {
  host             = var.metadb_cluster_endpoint
  port             = var.metadb_port
  database         = "postgres"
  username         = var.metadb_user
  password         = var.metadb_password
  superuser        = false
  sslmode          = "verify-full"
  sslrootcert      = data.aws_secretsmanager_secret_version.rds_cert_bundle_version.secret_string
  connect_timeout  = 15
  expected_version = "12.4"
}

When I run a plan, I receive the error:

Error: missing "=" after "MIIEBzCCAu+gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZQxCzAJBgNVBAYTAlVT" in connection info string"

The newlines separating the cert contents are causing problems as I do not get this issue if I specify a local path pointing to the downloaded cert bundle. Is it even possible to inject the cert bundle via a secret?

Terraform Version

Terraform 0.14.8

Affected Resource(s)

provider "postgresql"

Terraform Configuration Files

See code above

Debug Output

See code above

Panic Output

n/a

Expected Behavior

Not sure. Would like to find out if I can inject a cert bundle from a Secrets Manager lookup.

Actual Behavior

Error: missing "=" after "MIIEBzCCAu+gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZQxCzAJBgNVBAYTAlVT" in connection info string"

Steps to Reproduce

The error above occurs when I perform a terraform plan

References

https://github.com/cyrilgdn/terraform-provider-postgresql/issues/8

lawliet89 commented 3 years ago

AFAIK, sslrootcert is the path to the CA file, not the CA PEM itself.

dontspamterry commented 3 years ago

> AFAIK, sslrootcert is the path to the CA file, not the CA PEM itself.

Hi @lawliet89, yes, sslrootcert is the path to the CA file. I was curious if another avenue existed to inject the PEM. It's not really an issue as we plan to apply the terraform via CICD and can easily bake the PEM into our image or download it as part of a pre-requisite step in the pipeline. Will close this issue out.

SovakPaleny commented 3 years ago

Please reopen this issue. It's possible to work around this, but it's very useful to fill sslrootcert from the output of a different resource without creating a file. There is no option to do it in a plain terraform.

dontspamterry commented 3 years ago

reopened, per your request @SovakPaleny :smiley:

lawliet89 commented 3 years ago

Agreed that it's nice to be able to provide it via a PEM string. I think a workaround you can try now is to use a local_file, but not sure if that will work with provider configuration.

cyrilgdn commented 3 years ago

Hi,

Thanks for opening this issue and sorry for the response delay.

The libpq library requires a path to the certificate. I'll check if the provider could store the PEM in a temporary file, but I need to check whether there's an easy way to clean it up at the end, and I'd also prefer to ask Terraform's developers whether it's recommended or not.

> There is no option to do it in a plain terraform.

> I think a workaround you can try now is to use a local_file, but not sure if that will work with provider configuration.

Meanwhile you can indeed create a local_file to store the cert; it'll work in plain Terraform.

SovakPaleny commented 3 years ago

Hi @cyrilgdn, thank you for the information. local_file does not work, sorry. In case of a CA change, you are not able to execute the plan because the plan preparation for PostgreSQL resources will use the current file on disk (if it exists at that time), which is stale, so the plan will fail. Of course, you can execute terraform apply -target ... on the local_file resource before each execution of the plan, but it's not a good workaround at all. I may be missing something, but I do not see any other terraform-native solution besides creating a file on the disk by the provider. The bad solution is to create this file on each libpq execution, but it's still way better than local_file. Thank you very much for your effort to find a working solution.
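The approach discussed above, the provider writing PEM text to a temporary file that libpq can read and removing it afterwards, as an added Go sketch that is not the provider's code: a plain path passes through unchanged, anything that is not a bundle of CERTIFICATE blocks is refused rather than written to disk, and the file is created with mode 0600 so other local users cannot read it. The function name, the temp-file naming and the PEM-prefix heuristic are assumptions of this example.

```go
package main

import (
	"encoding/pem"
	"fmt"
	"os"
	"strings"
)

// materializeRootCert returns a path libpq can use for sslrootcert. A plain path is returned
// unchanged; PEM text is checked to contain only CERTIFICATE blocks and written to a private
// (mode 0600) temp file. cleanup removes that file and must be called once the connection is
// established; it is nil when err != nil. (Illustrative code, not the provider's.)
func materializeRootCert(value string) (path string, cleanup func(), err error) {
	text := strings.TrimSpace(value)
	if !strings.HasPrefix(text, "-----BEGIN ") {
		return value, func() {}, nil // treated as a file path, as the provider does today
	}
	// Refuse to write arbitrary secret text (or a private key) to disk: every PEM block
	// must be a CERTIFICATE. A stricter version would also x509.ParseCertificate each block.
	certs := 0
	for rest := []byte(text); ; certs++ {
		var block *pem.Block
		if block, rest = pem.Decode(rest); block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			return "", nil, fmt.Errorf("sslrootcert contains a %q block, expected CERTIFICATE", block.Type)
		}
	}
	if certs == 0 {
		return "", nil, fmt.Errorf("sslrootcert looks like PEM but no CERTIFICATE block was found")
	}
	f, err := os.CreateTemp("", "sslrootcert-*.pem") // unique name, created with mode 0600
	if err != nil {
		return "", nil, err
	}
	defer f.Close()
	if _, err = f.WriteString(text + "\n"); err != nil {
		os.Remove(f.Name())
		return "", nil, err
	}
	return f.Name(), func() { os.Remove(f.Name()) }, nil
}
```

The returned path is what would be placed in the libpq connection string in place of the raw PEM, which is what produced the `missing "="` parse error in the report above.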